Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2017-18258

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-08 Apr, 2018 | 17:00
Updated At-05 Aug, 2024 | 21:13
Rejected At-
Credits

The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:08 Apr, 2018 | 17:00
Updated At:05 Aug, 2024 | 21:13
Rejected At:
▼CVE Numbering Authority (CNA)

The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html
mailing-list
x_refsource_MLIST
https://usn.ubuntu.com/3739-1/
vendor-advisory
x_refsource_UBUNTU
https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
x_refsource_MISC
https://kc.mcafee.com/corporate/index?page=content&id=SB10284
x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20190719-0001/
x_refsource_CONFIRM
https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
mailing-list
x_refsource_MLIST
Hyperlink: https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html
Resource:
mailing-list
x_refsource_MLIST
Hyperlink: https://usn.ubuntu.com/3739-1/
Resource:
vendor-advisory
x_refsource_UBUNTU
Hyperlink: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
Resource:
x_refsource_MISC
Hyperlink: https://kc.mcafee.com/corporate/index?page=content&id=SB10284
Resource:
x_refsource_CONFIRM
Hyperlink: https://security.netapp.com/advisory/ntap-20190719-0001/
Resource:
x_refsource_CONFIRM
Hyperlink: https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
Resource:
mailing-list
x_refsource_MLIST
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html
mailing-list
x_refsource_MLIST
x_transferred
https://usn.ubuntu.com/3739-1/
vendor-advisory
x_refsource_UBUNTU
x_transferred
https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
x_refsource_MISC
x_transferred
https://kc.mcafee.com/corporate/index?page=content&id=SB10284
x_refsource_CONFIRM
x_transferred
https://security.netapp.com/advisory/ntap-20190719-0001/
x_refsource_CONFIRM
x_transferred
https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: https://usn.ubuntu.com/3739-1/
Resource:
vendor-advisory
x_refsource_UBUNTU
x_transferred
Hyperlink: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://kc.mcafee.com/corporate/index?page=content&id=SB10284
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://security.netapp.com/advisory/ntap-20190719-0001/
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:08 Apr, 2018 | 17:29
Updated At:10 Sep, 2020 | 01:15

The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.06.5MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary2.04.3MEDIUM
AV:N/AC:M/Au:N/C:N/I:N/A:P
Type: Primary
Version: 3.0
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Type: Primary
Version: 2.0
Base score: 4.3
Base severity: MEDIUM
Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CPE Matches
libxml2 (XMLSoft)
xmlsoft
>>libxml2>>Versions before 2.9.6(exclusive)
cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-770Primarynvd@nist.gov
CWE ID: CWE-770
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bbcve@mitre.org
Patch
Vendor Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10284cve@mitre.org
N/A
https://lists.debian.org/debian-lts-announce/2018/09/msg00035.htmlcve@mitre.org
N/A
https://lists.debian.org/debian-lts-announce/2020/09/msg00009.htmlcve@mitre.org
N/A
https://security.netapp.com/advisory/ntap-20190719-0001/cve@mitre.org
N/A
https://usn.ubuntu.com/3739-1/cve@mitre.org
N/A
Hyperlink: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
Source: cve@mitre.org
Resource:
Patch
Vendor Advisory
Hyperlink: https://kc.mcafee.com/corporate/index?page=content&id=SB10284
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://security.netapp.com/advisory/ntap-20190719-0001/
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://usn.ubuntu.com/3739-1/
Source: cve@mitre.org
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

110Records found
CVE-2017-12144
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.19% / 41.10%
||
7 Day CHG~0.00%
Published-02 Aug, 2017 | 05:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In ytnef 1.9.2, an allocation failure was found in the function TNEFFillMapi in ytnef.c, which allows attackers to cause a denial of service via a crafted file.

Action-Not Available
Vendor-ytnef_projectn/a
Product-ytnefn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2020-6610
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.53% / 66.69%
||
7 Day CHG~0.00%
Published-08 Jan, 2020 | 20:43
Updated-04 Aug, 2024 | 09:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GNU LibreDWG 0.9.3.2564 has an attempted excessive memory allocation in read_sections_map in decode_r2007.c.

Action-Not Available
Vendor-n/aGNUopenSUSE
Product-libredwgbackportsleapn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2021-3912
Matching Score-4
Assigner-Cloudflare, Inc.
ShareView Details
Matching Score-4
Assigner-Cloudflare, Inc.
CVSS Score-4.2||MEDIUM
EPSS-0.55% / 67.53%
||
7 Day CHG~0.00%
Published-11 Nov, 2021 | 21:45
Updated-16 Sep, 2024 | 23:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OctoRPKI crashes when processing GZIP bomb returned via malicious repository

OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).

Action-Not Available
Vendor-Debian GNU/LinuxCloudflare, Inc.
Product-octorpkidebian_linuxoctorpki
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2020-27029
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-6.5||MEDIUM
EPSS-0.29% / 52.30%
||
7 Day CHG~0.00%
Published-15 Dec, 2020 | 16:01
Updated-04 Aug, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In TextView of TextView.java, there is a possible app hang due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-140218875

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-20
Improper Input Validation
CVE-2020-19464
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.16% / 37.09%
||
7 Day CHG~0.00%
Published-21 Jul, 2021 | 17:09
Updated-04 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been found in function XRef::fetch in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a stack overflow .

Action-Not Available
Vendor-flowpapern/a
Product-pdf2jsonn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2020-19463
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.16% / 37.09%
||
7 Day CHG~0.00%
Published-21 Jul, 2021 | 17:09
Updated-04 Aug, 2024 | 14:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been found in function vfprintf in PDF2JSON 0.70 that allows attackers to cause a Denial of Service due to a stack overflow.

Action-Not Available
Vendor-flowpapern/a
Product-pdf2jsonn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2020-18899
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 29.18%
||
7 Day CHG~0.00%
Published-19 Aug, 2021 | 00:00
Updated-15 Oct, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An uncontrolled memory allocation in DataBufdata(subBox.length-sizeof(box)) function of Exiv2 0.27 allows attackers to cause a denial of service (DOS) via a crafted input.

Action-Not Available
Vendor-n/aExiv2
Product-exiv2n/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2020-15213
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4||MEDIUM
EPSS-0.22% / 44.10%
||
7 Day CHG~0.00%
Published-25 Sep, 2020 | 18:50
Updated-04 Aug, 2024 | 13:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service in tensorflow-lite

In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger a denial of service by causing an out of memory allocation in the implementation of segment sum. Since code uses the last element of the tensor holding them to determine the dimensionality of output tensor, attackers can use a very large value to trigger a large allocation. The issue is patched in commit 204945b19e44b57906c9344c0d00120eeeae178a and is released in TensorFlow versions 2.2.1, or 2.3.1. A potential workaround would be to add a custom `Verifier` to limit the maximum value in the segment ids tensor. This only handles the case when the segment ids are stored statically in the model, but a similar validation could be done if the segment ids are generated at runtime, between inference steps. However, if the segment ids are generated as outputs of a tensor during inference steps, then there are no possible workaround and users are advised to upgrade to patched code.

Action-Not Available
Vendor-Google LLCTensorFlow
Product-tensorflowtensorflow
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2020-15570
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.31% / 53.83%
||
7 Day CHG~0.00%
Published-06 Jul, 2020 | 13:59
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The parse_report() function in whoopsie.c in Whoopsie through 0.2.69 mishandles memory allocation failures, which allows an attacker to cause a denial of service via a malformed crash file.

Action-Not Available
Vendor-whoopsie_projectn/a
Product-whoopsien/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2021-46050
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.11% / 29.69%
||
7 Day CHG~0.00%
Published-07 Jan, 2022 | 22:10
Updated-04 Aug, 2024 | 04:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Stack Overflow vulnerability exists in Binaryen 103 via the printf_common function.

Action-Not Available
Vendor-webassemblyn/a
Product-binaryenn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found